The FTC Reports on the Internet of Things: Things That May Invade Our Privacy

The Internet of Things arguably makes our lives easier, but in doing so, does it compromise other values we hold dearly? The Internet of Things is a system whereby objects that are commonplace in a normal lifestyle can connect to the Internet, enabling them to send and receive data to optimize or otherwise increase their abilities and functionality. With such increases in functionality, however, comes the ever-present risk that frequently accompanies changes in technology: Will this have a negative impact on our privacy? This is the very question the FTC sought to address in its report on the Internet of Things distributed last week. (We previously reported on the FTC’s preliminary examination of the Internet of Things here.) The new report discusses general ideas regarding the Internet of Things and sets forth best practices for businesses to follow in order to retain adequate consumer confidence in the products and the distributing companies themselves.

The Internet of Things presents many potential benefits to consumers. Among other things, it can be used to encourage and optimize energy efficiency throughout a household through integration with various appliances. It can also protect drivers on the roadway by warning drivers of various dangers, aiding in the development of autonomous vehicles (a topic previously discussed on this blog here and here). Further, the Internet of Things can help patients with medical conditions better communicate with their physicians to better manage their conditions. However, with such benefits, the FTC has also identified several security risks created by integration of the Internet of Things, namely: (1) enabling potential unauthorized access to personal information, (2) facilitating attacks on other systems, and (3) creating risks to personal safety.

Responding to such contemplated risks inherent in the Internet of Things, while still seeking to retain the associated benefits, the FTC report suggests various best practices to be taken to ensure the proper use and implementation of the Internet of Things. First, adequate security measures must be implemented in order to protect consumer information. However, the degree of security necessary is admittedly dependent on the amount and sensitivity of data collected. Nevertheless, such security concerns should be addressed immediately, in all aspects (both within and outside the company), and continuously throughout the lifecycle of the object in question. Second, any data collected by an object considered a part of the Internet of Things (and the company affiliated with such object) should be limited to the least amount necessary to function effectively, and should be kept no longer than necessary. Third, to the extent available, notice should be provided to consumers regarding the type and extent of personal data collected, and if possible, the choice whether or how much of such data is collected. The FTC report does not however address the practical difficulties inherent in this factor.

In the end, the FTC considered whether legislation is appropriate for this area. Although ultimately determining that legislation specific to the Internet of Things would be unwise, unduly stifling the potential for innovation and advancement in this area, the FTC did state its desire to have legislation in place that will continue to protect privacy and security, yet remain flexible enough to allow continued growth of this technology. Ultimately, the FTC seems to be doing its best to allow and encourage advancing technology, but is still staying true to its roots by expressing its concerns regarding consumer protection in the realm of new, and somewhat mysterious, technologies.